Microsoft Security Bulletin MS15-026 - Important

In this article

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Exchange Server sanitizes page content in Outlook Web App and by correcting the way Exchange validates meeting organizer authenticity when accepting, scheduling, or modifying meeting requests in Exchange calendars. For more information about the vulnerabilities, see the Vulnerability Information section.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Update FAQ

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

Vulnerability Information

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server does not properly sanitize page content in Outlook Web App. An attacker could exploit these vulnerabilities by modifying certain properties within Outlook Web App and then convincing users to browse to the targeted Outlook Web App site. An attacker who successfully exploited these vulnerabilities could run script in the context of the current user. The script could then, for example, use the victim's identity to take actions on the affected Outlook Web App site on behalf of the victim with the same permissions as the current user. Any system that is used to access an affected version of Outlook Web App would potentially be at risk to attack. The update addresses the vulnerabilities by correcting how Exchange Server sanitizes page content in Outlook Web App.

For these vulnerabilities to be exploited, a user must click a specially crafted URL that takes the user to a targeted Outlook Web App site.

In an email attack scenario, an attacker could exploit the vulnerabilities by sending an email message containing the specially crafted URL to the user of the targeted Outlook Web App site and convincing the user to click the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL to the targeted Outlook Web App site that is used to attempt to exploit these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit these vulnerabilities. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

A spoofing vulnerability exists in Exchange Server when Exchange fails to properly validate meeting organizer identity when accepting or modifying meeting requests. An attacker who successfully exploited this vulnerability could then use the vulnerability to schedule or modify meetings while appearing to originate from a legitimate meeting organizer. Customers using affected versions of Exchange Server are at risk for this vulnerability. The update addresses the vulnerability by correcting the way Exchange validates meeting organizer authenticity when accepting, scheduling, or modifying meeting requests in Exchange calendars.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Security Update Deployment

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (March 10, 2015): Bulletin published.

Page generated 2015-03-04 13:08Z-08:00.

Note

The feedback system for this content will be changing soon. Old comments will not be carried over. If content within a comment thread is important to you, please save a copy. For more information on the upcoming change, we invite you to read our blog post.